WireGuard for Windows is still in pre-alpha, but it's looking very good.

WireGuard 0.0.14 pre-alpha, running on an x1.small machine at packet.net. It's uploading across a WireGuard tunnel at 1.2Gbps to a Linux machine, also at packet.

Jim Salter

Here, it's downloading across a WireGuard tunnel at 348Mbps from a Linux machine, also at packet.

Jim Salter

WireGuard is a new peer-to-peer VPN technology that has the potential for greater speed, smaller attack surface, and easier configuration than commonly used and better-established VPN platforms such as OpenVPN and IPSec. It has been available on Linux, FreeBSD, macOS, Android, and even iOS for quite some time now, with Windows being the one platform frustratingly missing. There are good reasons for that—lead developer Jason Donenfeld didn't want to inherit the problems of OpenVPN's OpenTAP adapter code, and when he investigated Microsoft's built-in VPN API, he didn't like that either. So his first move was to take a giant step backward on the Windows platform and develop an extremely simple virtual adapter that could be used not only for WireGuard, but also for other projects that might need the same kind of very basic, socket-and-tunnel functionality. This became Wintun.

If you're not sure what the fuss about WireGuard is, we've got you covered. In short, it's a completely new VPN protocol that aims to be completely secure by default, using orders of magnitude fewer lines of code and much simpler configuration files than earlier protocols like OpenVPN or IPSec. For more detail, check out our earlier WireGuard coverage.

For the moment, WireGuard for Windows is still in what creator Jason Donenfeld refers to as "pre-alpha," with an alpha build due out sometime in the next week or two. The good news is that it's an easy install now, with no dev-fu required to get it running happily on a Windows 10 (or Server 2016, as seen below) system. There are self-contained, signed MSI installers for both 64-bit and 32-bit builds there; downloading and running them just works, with no complaints from Defender about unsigned or untrusted anything. I was curious about what makes v0.0.14 "pre-alpha" rather than merely "alpha." Donenfeld told me one reason he called it pre-alpha was to keep journalists like me (as well as the generally unadventurous) from writing about it before it's ready.

Pressed for more detail, it became clear that he's laser-focused on security—and Windows as a platform diverges far more radically from Linux, Android, macOS, and iOS in that regard than any of them do from one another. There's no access to Windows kernel source code, and the documentation is insufficient for his needs. As a result, he has spent hundreds of hours in a disassembler, reverse-engineering ntoskrnl.exe and ndis.sys to make absolutely sure he understands exactly what's going on at an extremely low level most developers never bother with.

The WireGuard-Windows project maintains an attack surface document specifically documenting possible ways to attack the code, and while we were chatting on Twitter, Donenfeld finished a fascinatingly detailed mailing list post about Windows' Network Location Awareness Signatures. All this makes it very clear that the Windows port of WireGuard isn't really "just a port"; it's a ground-up project in its own right, with a level of platform-specific attention to detail that would shame most Windows-native developers.

With all my questions about the current and near-future state of the project answered, I downloaded the current version of WireGuard for Windows and took it for a quick spin on a bare metal Windows 2016 instance at Packet. The short version: it's pretty sweet.

Once the installer for WireGuard has run, a close facsimile of the mobile interface you'd see on WireGuard for Android, iOS, or macOS pops up. You can easily import, export, activate, deactivate, or destroy tunnel configurations. Tunnel configuration can be imported either directly from a raw .conf file (format just like the ones used in text-based Linux configs in our prior coverage) or from a ZIP file that can contain multiple tunnels. The interface is barebones and offers no hand-holding, but it works very well—even including a context-sensitive text editor that catches and red-underlines many common errors, such as invalid IPv4 or IPv6 addresses.
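The .conf format and the editor's address checks described above, as an added example that is not WireGuard's own code: a small Python validator that parses a tunnel file (allowing the several [Peer] sections a real tunnel may carry) and flags the kinds of mistakes the Windows editor underlines, such as a malformed IPv4 or IPv6 address, a key that does not decode to 32 bytes, or an out-of-range endpoint port. The two sample configurations and the key bytes are constructed placeholders, not real keys.

```python
import base64
import binascii
import ipaddress
import re

KEY_BYTES = 32  # Curve25519 keys: 32 raw bytes, base64-encoded in the .conf

def parse_conf(text):
    """(section, {key: value}) pairs in file order: a list, since a tunnel may have several [Peer]s."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip(), {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def check_key(value, field):
    """A key must be valid base64 decoding to exactly 32 bytes."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return [f"{field}: not valid base64"]
    if len(raw) != KEY_BYTES:
        return [f"{field}: decodes to {len(raw)} bytes, expected {KEY_BYTES}"]
    return []

def check_addresses(value, field, as_network=False):
    """Comma-separated IPv4/IPv6 entries; AllowedIPs are networks, Address may carry host bits."""
    errors = []
    for item in (s.strip() for s in value.split(",")):
        try:
            ipaddress.ip_network(item, strict=False) if as_network else ipaddress.ip_interface(item)
        except ValueError:
            errors.append(f"{field}: invalid address {item!r}")
    return errors

def check_endpoint(value, field):
    """Endpoint is host:port or [ipv6]:port with a port in 1..65535."""
    m = re.fullmatch(r"(?:\[(?P<v6>[^\]]+)\]|[^:\[\]]+):(?P<port>\d+)", value)
    if not m:
        return [f"{field}: expected host:port or [ipv6]:port, got {value!r}"]
    errors = []
    if m.group("v6"):
        try:
            ipaddress.IPv6Address(m.group("v6"))
        except ValueError:
            errors.append(f"{field}: invalid IPv6 literal {m.group('v6')!r}")
    if not 1 <= int(m.group("port")) <= 65535:
        errors.append(f"{field}: port {m.group('port')} out of range")
    return errors

def validate_conf(text):
    """Return a list of problems; an empty list means the tunnel file passed every check."""
    errors = []
    sections = parse_conf(text)
    interfaces = [body for name, body in sections if name == "Interface"]
    peers = [body for name, body in sections if name == "Peer"]
    if len(interfaces) != 1:
        errors.append(f"expected exactly one [Interface] section, found {len(interfaces)}")
    for iface in interfaces:
        errors += check_key(iface.get("PrivateKey", ""), "Interface.PrivateKey")
        if "Address" in iface:
            errors += check_addresses(iface["Address"], "Interface.Address")
    if not peers:
        errors.append("no [Peer] section: the tunnel has nothing to talk to")
    for i, peer in enumerate(peers):
        tag = f"Peer[{i}]"
        errors += check_key(peer.get("PublicKey", ""), f"{tag}.PublicKey")
        if "AllowedIPs" in peer:
            errors += check_addresses(peer["AllowedIPs"], f"{tag}.AllowedIPs", as_network=True)
        if "Endpoint" in peer:
            errors += check_endpoint(peer["Endpoint"], f"{tag}.Endpoint")
    return errors

DEMO_KEY = base64.b64encode(bytes(range(KEY_BYTES))).decode()  # constructed placeholder, not a real key

GOOD_CONF = f"""[Interface]
PrivateKey = {DEMO_KEY}
Address = 10.0.0.2/24, fd00::2/64
[Peer]
PublicKey = {DEMO_KEY}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = [2001:db8::1]:51820
"""
BAD_CONF = f"""[Interface]
PrivateKey = dG9vc2hvcnQ=   # base64 of "tooshort": only 8 bytes
Address = 10.0.0.300/24     # the kind of typo the editor underlines
[Peer]
PublicKey = {DEMO_KEY}
AllowedIPs = 0.0.0.0/0, 2001:db8::zz/64
Endpoint = vpn.example.com:70000
"""
```

Calling `validate_conf(GOOD_CONF)` returns an empty list, while `validate_conf(BAD_CONF)` returns four messages, one per defect. The parser deliberately keeps sections in a list rather than a dictionary so that a file with two or more [Peer] blocks is checked peer by peer instead of silently collapsing them.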

You can either import a tunnel from an existing .conf or .ZIP file or create one from scratch within the WireGuard app itself.

Jim Salter

The built-in WireGuard editor is a nice surprise—it's context-sensitive, and it automatically highlights common errors, such as invalid IPv4 or IPv6 address formats.

Jim Salter

In one last and particularly appreciated touch, it turns out that tunnel states persist across reboot—if you had a tunnel active when you restart your Windows machine, it will automatically activate itself after the reboot; there's no need to run the UI or do anything else to restart it. Similarly, if a tunnel was deactivated at shutdown or reboot, it will still be down after the machine restarts.

Beyond all this, if you know how to use WireGuard on other platforms, you know how to use it on Windows. Connection times are still instantaneous, and the throughput is good. I achieved 1.2Gbps upload throughput across a WireGuard tunnel from the Windows 2016 machine above to a Linux machine (also at Packet). Download throughput across the tunnel capped at 380Mbps, but Donenfeld says that's a known bug that has been fixed in master, and the improved, faster code will be available to the general public in the upcoming 0.1 alpha release.

I switched over to Wireguard for most of my VPN usage (some endpoints still require OpenVPN, thanks Synology) and I've been surprised at how much I enjoy it.

The setup is a bit of a bear if you have never done it before and has a bit of a learning curve, but once it is running it's very fast and responsive. Mobile usage in particular is very nice because if you have interrupted service or transition from wifi to 4g the reconnect period is typically within 1 second.

With that said, I use Wireguard for personal VPN use fully understanding the pre-release nature of it. If you need reliable connectivity, especially in a professional sense, I would stick to using more mature solutions like OpenVPN or a dedicated appliance.

To get good market penetration, you really need something stupid-simple. I hope it gets to that state.

Related, I'm glad it supports a pre-made config file. That will allow more technically-astute ones to support others not as adept.

This has been one of my favourite ongoing series at Ars, gradually watching this thing evolve. I'm more a back-end dev than a sysadmin, but I still find it fascinating

That reminds me. When can we expect an article on SQRL?

:: searches ::

Dammit Steve Gibson... You can't actually put your own code into the public domain. 😠

Wait, you can't? Why not? CC-0, for example, is explicitly for this purpose, I thought..

Or maybe you meant "shouldn't?" Releasing his code as public domain would make malicious forks much easier and more confusing..

It comes down to technicalities. Technically, CC0 is a copyright license, while something in the Public Domain would not be copyrighted or copyrightable and would need no license. In practicality, CC0 is as close to Public Domain as you can get, while not being Public Domain.

Effectively if Steve Gibson wants his code to be in the Public Domain, he should actually license it under CC0.

That makes no sense - if you want the code to actually be public domain, you would ACTUALLY make it public domain, not CC0.

reverse-engineering ntoskrnl.exe and ndis.sys to make absolutely sure he understands exactly what's going on at an extremely low level most developers never bother with.

Oh no no no. There's a reason for that. The APIs don't change but the low-level stuff might when MS updates those components. If you rely on undocumented low-level stuff, it's not a matter of if it will break, but when.

Agreed but I guess the developer isn’t that daft. He’s probably peeking under the hoods to understand how it works but is still sticking to the official OS APIs? Least that’s what I’d hope for.

Else he really needs to talk to the Microsoft kernel devs - there is an entire team responsible for just that.

Has there been a formal review of the wireguard security so far? The homepage states that there has been none so it might be a bit iffy to start using it considering that it has unknown security.

There has been some analysis of the protocol, including this one which recommends a change to simplify cryptographic analysis: https://eprint.iacr.org/2018/080.pdf It looks like they didn't find any actual problems. I don't know if the change has been implemented in Wireguard.

The big selling point of Wireguard is that the codebase is tiny, as in 1% the size of other VPN software. That gives problems much less space to hide.

Btw, on an unrelated issue: I see that Jason actually made the pull request to have wireguard included in the kernel.

Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.

Linus

If you are familiar with Linus' style, "maybe not perfect" is high praise.

Actually, if I remember it correctly, one of the main design goals for Wireguard code was to make security audit easy: have small, readable, and well-structured code, and "as simple as possible but no simpler" protocol.

I am not a lawyer, but I spent a significant amount of time talking with Creative Common's General Counsel on this subject. CC-0 is a release into public domain, _and_ it is also a license. The reason it is both is because public domain works differently in different countries, and CC-0 tries to provide licenses where public domain is inadequate in some jurisdictions. (To the best of my knowledge and memory from those conversations).

Microsoft are a lot more open these days. Are there better paths to get access to internals for projects in supported manners? Some of these calls into retired functions are likely to cause issues at a random time in the future.

I've been using Wireguard on Windows via TunSafe for a while now. It's much faster than IPSec based VPNs, much lower CPU load. Seems very reliable too, connects instantly and rarely drops.

What makes IPSec so much slower and/or less reliable than WireGuard?

It isn't. If you use poor quality drivers and implementations you can get benchmarks showing IPSec as slower than WireGuard -- which is what I keep seeing in the press. Good IPSec leverages AES-NI acceleration on the CPU, and the only slower part by a few ms might be the DH processes as SPIs are created. IPSec has the same computational and network overhead as SSL/TLS.

Wireguard gets a big circle jerk about fast connection times, but my experience is the only "slow" part of IPSec / SSL based firewall clients is the IP address assignment and OS route injection. Usually about 200-1200 ms on a bad day. I have heard OpenVPN is slow to connect, but that would be like using a Playskool hammer to frame a house in my world.

I hear about OpenVPN in commercial use all the time, but never see it. Everyone from medium sized business and up just use the IPSec / SSL client / clientless options their firewall vendor offers. I guess I ran across one customer using Windows PPTP with a Windows server when I did MSP / VAR work, but that was at a 12 person marketing company 7 years ago. And they would be better served with some kind of cloud-based service or getting a Fortigate or ASA 5506 with a few user VPN licences.

If you really want to beat off about encrypted bandwidth, the solution is a decent GPU and PacketShader. A pair of GTX 285s with early code ran about 5.3 Gb/s on crappy 64 byte packets and a pair of GTX 480s ran at 20+ Gb/s once the packets are over 512 b, and those didn't even leverage RDMA and the process ran in user space. nVidia + Mellanox should be an interesting marriage.

As a result, he has spent hundreds of hours in a disassembler, reverse-engineering ntoskrnl.exe and ndis.sys to make absolutely sure he understands exactly what's going on at an extremely low level most developers never bother with.

That sounds like a software maintenance nightmare. How can he guarantee that how he interfaces with the kernel will continue to work with future updates to the OS? What does this mean for future support on Windows? Aren't developers who need special access to the kernel for their work able to contact Microsoft to strike a special deal that lets them get access to the source code under NDA? That could at least give him a window into coming changes without having to be purely reactionary and having to reverse engineer things all over again if something breaks.

Pressed for more detail, it became clear that he's laser-focused on security—and Windows as a platform diverges far more radically from Linux, Android, macOS, and iOS in that regard than any of them do from one another.

Seeing how those listed are linux or unix based as opposed to Windows NOT being so - no sh*t.

Just curious, what about the set up was tough? I'm looking at a sample guide for installing Wireguard on my Pi, and that config looks so much easier than when I set up OpenVPN.

No, I meant "can't", exactly as I said. You absolutely can license your code CC-0, and that has real meaning, which is well-understood and works the same way anywhere. If you don't want CC-0, you could similarly use the Unlicense. Or even the WTFPL.

However, you literally cannot place your own code into the public domain. You don't control what is or is not in the public domain, governments do. They have different rules about it in different places, and the rule in the place a user happens to be trumps the rule in the place any given creator happened to be when originally creating the thing. Saying "this is public domain" grants no actual usage rights, because it's a demonstrably false statement. Copyright still applies, with no rights actually legally granted by the creator to any users.

I don't think any open-source projects are allowed to touch the Windows source code by design. I know I wouldn't want to ever see it, as someone who occasionally writes open-source code, because I wouldn't want there to be any chance I might accidentally remember how they implemented a function or something.

I'm interested and excited at the possibilities offered by WireGuard (and a good Windows implementation would rock a lot of people's world), but, respectfully, the language used at times in this article read more like hyperbole spewed out by an excited fan boi (or sponsored ad copy) than anything resembling skeptical journalistic integrity. This kind of bubbly, fact-lite reporting reminds me of the early days of reporting on Theranos. For example:

"As a result, he has spent hundreds of hours in a disassembler, reverse-engineering ntoskrnl.exe and ndis.sys to make absolutely sure he understands exactly what's going on at an extremely low level most developers never bother with."

"it's a ground-up project in its own right, with a level of platform-specific attention to detail that would shame most Windows-native developers."

Who are these "most developers", and what surveying or metrics did you use to measure their research and attention to detail? I get that you're excited, or want to appear that you are, but put on your journalist pants and give us just the facts, sir.

Even in German courts, there is the concept of equitable relief, and in particular, equitable estoppel. Basically, if someone publicly and verifiably dedicates their work "to the public domain," the court will not allow them to come back and change their position later to the detriment of someone who reasonably relied on the public and verifiable dedication.

The CC0 waiver is a Rube Goldberg attempt to make the estoppel defense as clearly applicable as possible, but it works against itself by, for example, requiring that "When using or citing the work, you should not imply endorsement by the author or the affirmer," which implies author control still exists.

Effectively, you get the same protection if someone just publicly and verifiably dedicates the work to the public. It's at least effective in the US and a wide variety of countries. Moreover, with respect to Steve specifically, you know his dedication is comprehensive in his own mind (it's not just some random dude on the internet who could be intending to lay a legal trap).